Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
Moderate severity
GitHub Reviewed
Published
Jun 9, 2021
in
jetty/jetty.project
•
Updated Feb 1, 2023
Package
Affected versions
<= 9.4.40
>= 10.0.0, <= 10.0.2
>= 11.0.0, <= 11.0.2
Patched versions
9.4.41
10.0.3
11.0.3
Description
Published by the National Vulnerability Database
Jun 9, 2021
Reviewed
Jun 9, 2021
Published to the GitHub Advisory Database
Jun 10, 2021
Last updated
Feb 1, 2023
Requests to the
ConcatServletandWelcomeFilterare able to access protected resources within theWEB-INFdirectory. For example a request to theConcatServletwith a URI of/concat?/%2557EB-INF/web.xmlcan retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.This occurs because both
ConcatServletandWelcomeFilterdecode the supplied path to verify it is not within theWEB-INForMETA-INFdirectories. It then uses this decoded path to callRequestDispatcherwhich will also do decoding of the path. This double decoding allows paths with a doubly encodedWEB-INFto bypass this security check.Impact
This affects all versions of
ConcatServletandWelcomeFilterin versions before 9.4.41, 10.0.3 and 11.0.3.Workarounds
If you cannot update to the latest version of Jetty, you can instead deploy your own version of the
ConcatServletand/or theWelcomeFilterby using the code from the latest version of Jetty.References